docker-claude/claude/Dockerfile

FROM node:24-alpine

# Upgrade npm to pull in patched bundled deps (cross-spawn, glob, minimatch, tar)
# CVEs: CVE-2024-21538, CVE-2025-64756, CVE-2026-26996/27903/27904, CVE-2026-23745/23950/24842/26960/29786/31802
RUN npm install -g npm@11.12.1

# Fix CVE-2026-33671: upgrade picomatch 4.0.3 → 4.0.4 in every location it appears
RUN find /usr/local/lib/node_modules -name "picomatch" -type d | while read dir; do \
      ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \
      [ "$ver" = "4.0.3" ] || continue; \
      echo "Patching picomatch in $dir"; \
      prefix=$(dirname "$(dirname "$dir")"); \
      npm install --prefix "$prefix" picomatch@4.0.4 \
        --no-save --no-audit --no-fund 2>/dev/null || true; \
    done

# Install runtime dependencies
RUN apk add --no-cache \
  git \
  curl \
  ca-certificates \
  bash

# Install kubectl — architecture-aware, checksum-verified
RUN KUBECTL_VERSION=$(curl -fsSL https://dl.k8s.io/release/stable.txt) \
  && ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') \
  && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \
  -o /usr/local/bin/kubectl \
  && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" \
  -o /tmp/kubectl.sha256 \
  && echo "$(cat /tmp/kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c \
  && rm /tmp/kubectl.sha256 \
  && chmod +x /usr/local/bin/kubectl

# System-level Claude Code policy — owned by root, not writable by the node user.
# Restricts available models; cannot be bypassed via CLI flags or env vars.
COPY settings.json /etc/claude-code/managed-settings.json

# Install Claude Code stable release
RUN curl -fsSL https://claude.ai/install.sh | bash -s stable

# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/
RUN npm install -g \
  @modelcontextprotocol/server-github \
  @yoda.digital/gitlab-mcp-server \
  @aashari/mcp-server-atlassian-jira \
  @aashari/mcp-server-atlassian-confluence

# Patch transitive CVEs bundled inside MCP server node_modules:
#   CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
#   GHSA-345p-7cg4-v4c7           — @modelcontextprotocol/sdk <1.26.0
#   CVE-2026-33671                — picomatch <4.0.4 (also covers npm bundled copy above)
#   GHSA-f886-m6hf-6m8v           — brace-expansion <5.0.5
RUN for pkg_dir in \
      /usr/local/lib/node_modules/@modelcontextprotocol/server-github \
      /usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
      /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \
      /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
    [ -d "$pkg_dir" ] && \
      cd "$pkg_dir" && \
      npm install --no-audit --no-fund \
        @modelcontextprotocol/sdk@1.26.0 \
        picomatch@4.0.4 \
        brace-expansion@5.0.5 \
      || true; \
  done \
  && find /usr/local/lib/node_modules -name "picomatch" -type d | while read dir; do \
      ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \
      [ "$ver" = "4.0.3" ] || continue; \
      prefix=$(dirname "$(dirname "$dir")"); \
      npm install --prefix "$prefix" picomatch@4.0.4 \
        --no-save --no-audit --no-fund 2>/dev/null || true; \
    done \
  && cd /tmp \
  && npm pack brace-expansion@5.0.5 --no-audit 2>/dev/null \
  && tar xzf brace-expansion-5.0.5.tgz \
  && find /usr/local/lib/node_modules -name "package.json" -path "*/brace-expansion/package.json" \
     | xargs grep -l '"version": "5.0.4"' 2>/dev/null \
     | while read pj; do \
         echo "Patching brace-expansion at $(dirname "$pj")"; \
         cp -r /tmp/package/. "$(dirname "$pj")/"; \
       done \
  && rm -rf /tmp/brace-expansion-5.0.5.tgz /tmp/package

# Remove any npm auth credentials written during install.
# npm automatically picks up GITHUB_TOKEN and NPM_TOKEN from the build environment
# and persists them in .npmrc files — scrub all of them before the image is finalised.
RUN find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \
      | xargs grep -l "_authToken\|_auth\b" 2>/dev/null \
      | xargs rm -f 2>/dev/null || true \
  && npm config delete //npm.pkg.github.com/:_authToken 2>/dev/null || true \
  && npm config delete //registry.npmjs.org/:_authToken 2>/dev/null || true

# Workspace and Claude config dir — owned by the built-in node user (uid 1000).
# Pre-creating ~/.claude ensures the named volume is initialised with the
# correct ownership when first mounted (Docker copies image content into
# an empty named volume on first use).
RUN mkdir -p /workspace /home/node/.claude \
  && chown -R node:node /workspace /home/node/.claude

USER node
WORKDIR /workspace

# Proxy traffic through sidecar — override at runtime if needed
ENV HTTP_PROXY=http://proxy:3128
ENV HTTPS_PROXY=http://proxy:3128
ENV ALL_PROXY=http://proxy:3128
ENV NO_PROXY=localhost,127.0.0.1

ENTRYPOINT ["claude"]
chore(docker): upgrade base image to node:24-alpine (LTS) Node 24 (Krypton) is the current LTS release. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 15:16:52 +02:00			`FROM node:24-alpine`
initial 2026-04-14 20:11:24 +02:00
fix(docker): upgrade npm to remediate 11 HIGH CVEs in bundled dependencies All findings are in npm's own bundled packages (cross-spawn, glob, minimatch, tar). Upgrading npm to latest pulls in the patched versions: - cross-spawn ≥7.0.5 (CVE-2024-21538) - glob ≥10.5.0 (CVE-2025-64756) - minimatch ≥9.0.6 (CVE-2026-26996, CVE-2026-27903, CVE-2026-27904) - tar ≥7.5.11 (CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 15:14:58 +02:00			`# Upgrade npm to pull in patched bundled deps (cross-spawn, glob, minimatch, tar)`
			`# CVEs: CVE-2024-21538, CVE-2025-64756, CVE-2026-26996/27903/27904, CVE-2026-23745/23950/24842/26960/29786/31802`
chore(docker): pin npm to 11.12.1 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 15:15:51 +02:00			`RUN npm install -g npm@11.12.1`
fix(docker): upgrade npm to remediate 11 HIGH CVEs in bundled dependencies All findings are in npm's own bundled packages (cross-spawn, glob, minimatch, tar). Upgrading npm to latest pulls in the patched versions: - cross-spawn ≥7.0.5 (CVE-2024-21538) - glob ≥10.5.0 (CVE-2025-64756) - minimatch ≥9.0.6 (CVE-2026-26996, CVE-2026-27903, CVE-2026-27904) - tar ≥7.5.11 (CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 15:14:58 +02:00
fix(docker): patch picomatch 4.0.3 → 4.0.4 (CVE-2026-33671) npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm upgrade to patch every occurrence in node_modules in place. Also restore and clean up the MCP server install and CVE patch blocks that were accidentally commented out. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 16:05:05 +02:00			`# Fix CVE-2026-33671: upgrade picomatch 4.0.3 → 4.0.4 in every location it appears`
			`RUN find /usr/local/lib/node_modules -name "picomatch" -type d \| while read dir; do \`
			`ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \`
			`[ "$ver" = "4.0.3" ] \|\| continue; \`
			`echo "Patching picomatch in $dir"; \`
			`prefix=$(dirname "$(dirname "$dir")"); \`
			`npm install --prefix "$prefix" picomatch@4.0.4 \`
			`--no-save --no-audit --no-fund 2>/dev/null \|\| true; \`
			`done`

refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			`# Install runtime dependencies`
			`RUN apk add --no-cache \`
use new native install 2026-04-15 19:18:39 +02:00			`git \`
			`curl \`
			`ca-certificates \`
feat: remove webui 2026-04-15 21:59:08 +02:00			`bash`
initial 2026-04-14 20:11:24 +02:00
feat(claude): install kubectl into container image 2026-04-15 08:47:32 +02:00			`# Install kubectl — architecture-aware, checksum-verified`
			`RUN KUBECTL_VERSION=$(curl -fsSL https://dl.k8s.io/release/stable.txt) \`
use new native install 2026-04-15 19:18:39 +02:00			`&& ARCH=$(uname -m \| sed 's/x86_64/amd64/;s/aarch64/arm64/') \`
			`&& curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \`
			`-o /usr/local/bin/kubectl \`
			`&& curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" \`
			`-o /tmp/kubectl.sha256 \`
			`&& echo "$(cat /tmp/kubectl.sha256) /usr/local/bin/kubectl" \| sha256sum -c \`
			`&& rm /tmp/kubectl.sha256 \`
			`&& chmod +x /usr/local/bin/kubectl`
feat(claude): install kubectl into container image 2026-04-15 08:47:32 +02:00
feat(policy): restrict available models to sonnet, opus, haiku Add /etc/claude-code/managed-settings.json with availableModels set to the three Anthropic model families. The file is root-owned inside the container so the node user cannot modify it. Managed settings cannot be bypassed via --model flag, /model command, or ANTHROPIC_MODEL env var. 2026-04-14 22:55:02 +02:00			`# System-level Claude Code policy — owned by root, not writable by the node user.`
			`# Restricts available models; cannot be bypassed via CLI flags or env vars.`
refactor(policy): rename managed-settings.json to settings.json 2026-04-14 22:59:25 +02:00			`COPY settings.json /etc/claude-code/managed-settings.json`
feat(policy): restrict available models to sonnet, opus, haiku Add /etc/claude-code/managed-settings.json with availableModels set to the three Anthropic model families. The file is root-owned inside the container so the node user cannot modify it. Managed settings cannot be bypassed via --model flag, /model command, or ANTHROPIC_MODEL env var. 2026-04-14 22:55:02 +02:00
docs: updated inline docs 2026-04-15 22:43:00 +02:00			`# Install Claude Code stable release`
fix: ash doesn't seem to work with the claude script 2026-04-16 09:48:42 +02:00			`RUN curl -fsSL https://claude.ai/install.sh \| bash -s stable`
use new native install 2026-04-15 19:18:39 +02:00
Revert "feat: remove MCP servers" This reverts commit a9ff78b49449a563de402eaaf0e9d423c009f389. 2026-04-20 15:32:29 +02:00			`# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/`
fix(docker): patch picomatch 4.0.3 → 4.0.4 (CVE-2026-33671) npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm upgrade to patch every occurrence in node_modules in place. Also restore and clean up the MCP server install and CVE patch blocks that were accidentally commented out. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 16:05:05 +02:00			`RUN npm install -g \`
			`@modelcontextprotocol/server-github \`
			`@yoda.digital/gitlab-mcp-server \`
			`@aashari/mcp-server-atlassian-jira \`
			`@aashari/mcp-server-atlassian-confluence`

			`# Patch transitive CVEs bundled inside MCP server node_modules:`
			`# CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2`
fix(dockerfile): bump MCP SDK 1.26.0, patch brace-expansion 5.0.5 (GHSA-345p-7cg4-v4c7, GHSA-f886-m6hf-6m8v) Add comprehensive picomatch sweep for nested node_modules; use direct tarball-copy strategy to patch brace-expansion inside npm's own bundled node_modules where npm-install --prefix cannot reach. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 23:23:27 +02:00			`# GHSA-345p-7cg4-v4c7 — @modelcontextprotocol/sdk <1.26.0`
			`# CVE-2026-33671 — picomatch <4.0.4 (also covers npm bundled copy above)`
			`# GHSA-f886-m6hf-6m8v — brace-expansion <5.0.5`
fix(docker): patch picomatch 4.0.3 → 4.0.4 (CVE-2026-33671) npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm upgrade to patch every occurrence in node_modules in place. Also restore and clean up the MCP server install and CVE patch blocks that were accidentally commented out. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 16:05:05 +02:00			`RUN for pkg_dir in \`
			`/usr/local/lib/node_modules/@modelcontextprotocol/server-github \`
			`/usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \`
			`/usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \`
			`/usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \`
			`[ -d "$pkg_dir" ] && \`
			`cd "$pkg_dir" && \`
			`npm install --no-audit --no-fund \`
fix(dockerfile): bump MCP SDK 1.26.0, patch brace-expansion 5.0.5 (GHSA-345p-7cg4-v4c7, GHSA-f886-m6hf-6m8v) Add comprehensive picomatch sweep for nested node_modules; use direct tarball-copy strategy to patch brace-expansion inside npm's own bundled node_modules where npm-install --prefix cannot reach. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 23:23:27 +02:00			`@modelcontextprotocol/sdk@1.26.0 \`
fix(docker): patch picomatch 4.0.3 → 4.0.4 (CVE-2026-33671) npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm upgrade to patch every occurrence in node_modules in place. Also restore and clean up the MCP server install and CVE patch blocks that were accidentally commented out. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 16:05:05 +02:00			`picomatch@4.0.4 \`
fix(dockerfile): bump MCP SDK 1.26.0, patch brace-expansion 5.0.5 (GHSA-345p-7cg4-v4c7, GHSA-f886-m6hf-6m8v) Add comprehensive picomatch sweep for nested node_modules; use direct tarball-copy strategy to patch brace-expansion inside npm's own bundled node_modules where npm-install --prefix cannot reach. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 23:23:27 +02:00			`brace-expansion@5.0.5 \`
fix(docker): patch picomatch 4.0.3 → 4.0.4 (CVE-2026-33671) npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm upgrade to patch every occurrence in node_modules in place. Also restore and clean up the MCP server install and CVE patch blocks that were accidentally commented out. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 16:05:05 +02:00			`\|\| true; \`
fix(dockerfile): bump MCP SDK 1.26.0, patch brace-expansion 5.0.5 (GHSA-345p-7cg4-v4c7, GHSA-f886-m6hf-6m8v) Add comprehensive picomatch sweep for nested node_modules; use direct tarball-copy strategy to patch brace-expansion inside npm's own bundled node_modules where npm-install --prefix cannot reach. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 23:23:27 +02:00			`done \`
			`&& find /usr/local/lib/node_modules -name "picomatch" -type d \| while read dir; do \`
			`ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \`
			`[ "$ver" = "4.0.3" ] \|\| continue; \`
			`prefix=$(dirname "$(dirname "$dir")"); \`
			`npm install --prefix "$prefix" picomatch@4.0.4 \`
			`--no-save --no-audit --no-fund 2>/dev/null \|\| true; \`
			`done \`
			`&& cd /tmp \`
			`&& npm pack brace-expansion@5.0.5 --no-audit 2>/dev/null \`
			`&& tar xzf brace-expansion-5.0.5.tgz \`
			`&& find /usr/local/lib/node_modules -name "package.json" -path "*/brace-expansion/package.json" \`
			`\| xargs grep -l '"version": "5.0.4"' 2>/dev/null \`
			`\| while read pj; do \`
			`echo "Patching brace-expansion at $(dirname "$pj")"; \`
			`cp -r /tmp/package/. "$(dirname "$pj")/"; \`
			`done \`
			`&& rm -rf /tmp/brace-expansion-5.0.5.tgz /tmp/package`
fix(docker): patch picomatch 4.0.3 → 4.0.4 (CVE-2026-33671) npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm upgrade to patch every occurrence in node_modules in place. Also restore and clean up the MCP server install and CVE patch blocks that were accidentally commented out. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 16:05:05 +02:00
fix(dockerfile): scrub npm auth tokens written during image build npm automatically picks up GITHUB_TOKEN / NPM_TOKEN from the build environment and writes them as _authToken entries in /root/.npmrc and /usr/local/etc/npmrc during 'npm install -g'. Add a cleanup RUN step that removes any npmrc file containing auth tokens before the image is finalised, and explicitly deletes the two most common registry auth keys via 'npm config delete'. Also add .npmrc to .dockerignore as an extra guard against accidentally COPY-ing a local credential file into the build context. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-20 16:37:00 +02:00			`# Remove any npm auth credentials written during install.`
			`# npm automatically picks up GITHUB_TOKEN and NPM_TOKEN from the build environment`
			`# and persists them in .npmrc files — scrub all of them before the image is finalised.`
			`RUN find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \`
			`\| xargs grep -l "_authToken\\|_auth\b" 2>/dev/null \`
			`\| xargs rm -f 2>/dev/null \|\| true \`
			`&& npm config delete //npm.pkg.github.com/:_authToken 2>/dev/null \|\| true \`
			`&& npm config delete //registry.npmjs.org/:_authToken 2>/dev/null \|\| true`

refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			`# Workspace and Claude config dir — owned by the built-in node user (uid 1000).`
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions. 2026-04-14 22:47:04 +02:00			`# Pre-creating ~/.claude ensures the named volume is initialised with the`
			`# correct ownership when first mounted (Docker copies image content into`
			`# an empty named volume on first use).`
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			`RUN mkdir -p /workspace /home/node/.claude \`
use new native install 2026-04-15 19:18:39 +02:00			`&& chown -R node:node /workspace /home/node/.claude`
initial 2026-04-14 20:11:24 +02:00
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			`USER node`
initial 2026-04-14 20:11:24 +02:00			`WORKDIR /workspace`

			`# Proxy traffic through sidecar — override at runtime if needed`
			`ENV HTTP_PROXY=http://proxy:3128`
			`ENV HTTPS_PROXY=http://proxy:3128`
			`ENV ALL_PROXY=http://proxy:3128`
			`ENV NO_PROXY=localhost,127.0.0.1`

			`ENTRYPOINT ["claude"]`